Computer system security dashboard

ABSTRACT

A computing system security dashboard is provided for presentation on a computer display device, the dashboard including a plurality of security view panes. Each security view pane, when expanded, presents a respective visualization of security conditions of a particular computing system. When the particular security view pane is collapsed it can hide at least a portion of particular visualizations of security conditions presented using the particular security view pane when expanded. The particular security view pane occupies a smaller area of the dashboard when collapsed than when expanded. A particular visual indicator is presented on the particular security view, at least when collapsed, summarizing at least a portion of the particular security conditions identified in the particular visualizations. A user interaction with the particular collapsed security view pane can prompt the particular security view pane to be expanded in area and present the particular visualizations.

This patent application claims the benefit of priority under 35 U.S.C. §120 of U.S. Provisional Patent Application Ser. No. 61/531,936, filedSep. 7, 2011, entitled “COMPUTER SYSTEM SECURITY DASHBOARD”, which isexpressly incorporated herein by reference in its entirety.

TECHNICAL FIELD

This disclosure relates in general to the field of computer securityand, more particularly, to visualizing security status of computersystems.

BACKGROUND

The Internet has enabled interconnection of different computer networksall over the world. The ability to effectively protect and maintainstable computers and systems, however, presents a significant obstaclefor component manufacturers, system designers, and network operators. Awide variety of products and services have been developed and adopted byorganizations to monitor and manage security of computing systems. Suchsecurity products can include security tools such as antivirus tools,antimalware tools, security policy compliance monitors, firewalls,network security tools, virtualization security tools, email securitytools, etc. Typically, enterprises adopt combinations of such securitytools according to the priorities and demands of the organization. Userinterfaces of these tools can present various metrics andrepresentations of security results for use by administrators inmonitoring, analyzing, and managing aspects of a computer system'ssecurity.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified schematic diagram of a computing system includingone or more security tools in accordance with one embodiment;

FIG. 2 is a simplified block diagram of an example system including atleast one tool adapted to generate a security dashboard user interfacein accordance with one embodiment;

FIGS. 3A-3B are screenshots of an example security dashboard userinterface in accordance with one embodiment;

FIGS. 4A-4D are block representations of example user interfaces for oneor more computer security tools in accordance with at least someembodiments;

FIGS. 5A-5B are schematic illustrations of example collapsible securityuser interfaces in accordance with at least some embodiments;

FIGS. 6A-6F are block representations of user interactions with examplesecurity user interfaces in accordance with at least some embodiments;and

FIG. 7 is a simplified flowchart illustrating example operationsassociated with at least some embodiments of the system.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

In general, one aspect of the subject matter described in thisspecification can be embodied in methods that include the actions ofproviding a computing system security dashboard for presentation on acomputer display device, the dashboard including a plurality of securityview panes. Each security view pane, when expanded, can present arespective visualization of security conditions of a particularcomputing system. When the particular security view pane is collapsed itcan hide at least a portion of particular visualizations of securityconditions presented using the particular security view pane whenexpanded. The particular security view pane can occupy a smaller area ofthe dashboard when collapsed than when expanded. A particular visualindicator can be presented on the particular security view, at leastwhen collapsed, summarizing at least a portion of the particularsecurity conditions identified in the particular visualizations. A userinteraction with the particular collapsed security view pane can beidentified prompting the particular security view pane to be expanded inarea and present the particular visualizations.

Further, in another general aspect, a system can be provided includingat least one processor device, at least one memory element, and adashboard engine. The dashboard engine, when executed by the processor,can provide a computing system security dashboard for presentation on acomputer display device, the dashboard including a plurality of securityview panes, and can further identify user interactions with securityview panes in the dashboard. Each security view pane, when expanded, canpresent a respective visualization of security conditions of aparticular computing system. When the particular security view pane iscollapsed it can hide at least a portion of particular visualizations ofsecurity conditions presented using the particular security view panewhen expanded. The particular security view pane can occupy a smallerarea of the dashboard when collapsed than when expanded. A particularvisual indicator can be presented on the particular security view, atleast when collapsed, summarizing at least a portion of the particularsecurity conditions identified in the particular visualizations. A userinteraction with the particular collapsed security view pane can beidentified prompting the particular security view pane to be expanded inarea and present the particular visualizations.

These and other embodiments can each optionally include one or more ofthe following features. The particular visual indicator can identify thepresence of a representation of (or other data pertaining to) aparticular security condition in the particular visualization. Theparticular security condition can be at least one of a critical securityevent, abnormality, vulnerability, or threat detected by at least onesecurity tool. The particular visual indicator can be a stoplightindicator presented in red for detection of at least one negativesecurity condition and presented in green in the absence of at least onedetected negative security condition. The particular visual indicatorcan identify the absence of at least one negative security conditionwithin the particular computing system. The particular visualization ofthe particular security view pane can include an interactivevisualization of particular security conditions. Interaction with theparticular visualization by a user can cause another visualization ofthe particular security conditions to be presented within the particularsecurity view pane. The particular visualization can represent theparticular security conditions at a first level of abstraction and theother visualization represents the particular conditions at a secondlevel of abstraction. Interaction with the particular visualization caninclude user inputs in connection with the performance of a particularsecurity task. Indeed, interaction with the particular visualization cancause at least on interface to populate the particular security viewpane, the interface adapted to receive the user inputs. A plurality ofthe security view panes included in the dashboard can be in an expandedstate. A plurality of the security view panes included in the dashboardcan be in a collapsed state. Each security view pane in the plurality ofcollapsed security view panes can include a respective visual indicatorsummarizing at least a portion of the particular security conditionsidentified in visualizations of the corresponding security view pane.Each visual indicator can mimic a visualization technique used invisualizations of the corresponding security view pane. Further, atleast one visual indicator of the plurality of collapsed security viewpanes can be of a type different from that of the particular visualindicator.

Further, embodiments can include one or more of the additional,following features. The plurality of security view panes can include auser-selected subset of security view panes from a set of availablesecurity view panes. A user interaction with the particular securityview pane can be identified. The positioning of the particular securityview pane can be changed relative to at least one other security viewpane in the plurality of security view panes based on the userinteraction. Changing the positioning of the particular security viewpane can cause at least one other security view pane in the plurality ofsecurity view panes to be repositioned to accommodate the changing ofthe positioning of the particular security view pane. The userinteraction can move the particular security view pane to a primaryviewing area included in the dashboard. Positioning a security view panewithin the primary viewing area can cause the security view pane to beexpanded horizontally. The primary viewing area can occupy a positionsubstantially near the top of the dashboard. The primary viewing areacan be adapted to collapse when not occupied by at least one securityview pane. The dashboard engine can be further adapted to provide aprimary viewing area in the dashboard. A dashboard engine can alsointerface with one or more security tools adapted to perform one or moresecurity tasks, and the dashboard engine can be further adapted to allowusers to initiate the one or more security tasks via the particularsecurity view pane.

Some or all of the features may be computer-implemented methods orfurther included in respective systems or other devices for performingthis described functionality. The details of these and other features,aspects, and implementations of the present disclosure are set forth inthe accompanying drawings and the description below. Other features,objects, and advantages of the disclosure will be apparent from thedescription and drawings, and from the claims.

Example Embodiments

FIG. 1 is a simplified block diagram illustrating an example embodimentof a computing system 100 including a dashboard server 105 adapted toprovide a security dashboard for display on one or more client endpointdevices 110, 115, 120 providing information concerning the status of oneor more target systems (e.g., 140). Dashboard server 105, in someimplementations, can operate in connection with one or more securityservers 125, 130 and be used to present an improved security dashboardto users to help administrators manage security of one or more targetsystems 140. Security tools hosted, for example, by security servers125, 130 can generate and collect security data (e.g., 160, 165) inconnection with the performance of a variety of security tasks performedon computing devices, network elements, private networks, software,security countermeasures, and other devices, software, systems, andcomputing resources within a target system 140. Dashboard server 105 canbe used to generate infographics and interactive presentations fromsecurity data 160, 165 to convey system security status informationconveniently and visually to administrators of the target system. Insome instances, one or more of security servers 125, 130, clients 110,115, 130, and dashboard server 105 can be remote from and communicateover one or more networks 170 with target system 140, as well as othersystem components (e.g., other servers, client devices, etc.).

In general, “servers,” “clients,” “devices,” “endpoints,” “computers,”and “computing devices” (e.g., 105, 110, 115, 120, 125, 130, 140), andas used herein, can comprise electronic computing devices operable toreceive, transmit, process, store, or manage data and informationassociated with the software system 100. As used in this document, theterm “computer,” “computing device,” “processor,” or “processing device”is intended to encompass any suitable processing device. For example,the system 100 may be implemented using computers other than servers,including server pools. Further, any, all, or some of the computingdevices may be adapted to execute any operating system, including Linux,UNIX, Windows Server, etc., as well as virtual machines adapted tovirtualize execution of a particular operating system, includingcustomized and proprietary operating systems.

Servers, clients, and computing devices (e.g., 105, 110, 115, 120, 125,130, 140) can each include one or more processors, computer-readablememory, and one or more interfaces. Servers can include any suitablesoftware component or module, or computing device(s) capable of hostingand/or serving software applications and other programs, includingdistributed, enterprise, or cloud-based software applications. Forinstance, application servers can be configured to host, serve, orotherwise manage web services or applications, such as SOA-based orenterprise web services, or applications interfacing, coordinating with,or dependent on other enterprise services, including security-focusedapplications. In some instances, some combination of servers can behosted on a common computing system, server, or server pool, and sharecomputing resources, including shared memory, processors, andinterfaces, such as in an enterprise software system serving services toa plurality of distinct clients and customers.

Computing devices (e.g., 105, 110, 115, 120, 125, 130, 140) in system100 can also include devices implemented as one or more local and/orremote client or endpoint devices, such as personal computers, laptops,smartphones, tablet computers, personal digital assistants, mediaclients, web-enabled televisions, telepresence systems, and otherdevices adapted to receive, view, compose, send, or otherwiseparticipate in the management of computing system security. A client orendpoint devices can include any computing device operable to connect orcommunicate at least with servers, other endpoint devices, network 170,and/or other devices using a wireline or wireless connection. Eachendpoint device can include at least one graphical display device anduser interface devices, allowing a user to view and interact withgraphical user interfaces of computer security tools and other software.In general, endpoint devices can include any electronic computing deviceoperable to receive, transmit, process, and store any appropriate dataassociated with the software environment of FIG. 1. It will beunderstood that there may be any number of endpoint devices associatedwith system 100, as well as any number of endpoint devices external tosystem 100. Further, the term “client,” “endpoint device,” and “user”may be used interchangeably as appropriate without departing from thescope of this disclosure. Moreover, while each endpoint device may bedescribed in terms of being used by one user, this disclosurecontemplates that many users may use one computer or that one user mayuse multiple computers.

Endpoint devices (e.g., 110, 115, 120) can include one or more userinterface devices, such as a keypad, touch screen, mouse, or otherdevice that can accept information and output devices, such as monitors,touchscreens, and other devices that conveys information associated withoperations and functionality of tools, services, and applicationsprovided through system 100. Graphical user interfaces (or GUIs) ofsoftware-based tools, services, and applications provided through system100 can allow the user to interface with at least a portion ofenvironment 100 for any suitable purpose, including allowing a user tointeract with one or more software applications, including computersecurity tools and a system security dashboard aggregating informationcollected and generated from such tools. Generally, a GUI provides userswith an efficient and user-friendly presentation of data provided by orcommunicated within the system. The term “graphical user interface,”“user interface,” or “GUI, may be used in the singular or in the pluralto describe one or more graphical user interfaces and each of thedisplays and controls of a particular graphical user interface.Therefore, a GUI can be any graphical user interface, such as a webbrowser, touch screen, or command line interface (CLI) that processesinformation in the environment 100 and efficiently presents the resultsto the user. In general, a GUI can include a plurality of user interfaceelements such as interactive fields, pull-down lists, media players,tables, graphics, virtual machine interfaces, buttons, etc. operable bythe user at an endpoint device. Such user interface elements may beparticularly related to and adapted for the functions of a systemsecurity dashboard or particular panes, views, and windows includedwithin implementations of a system security dashboard.

While FIG. 1 is described as containing or being associated with aplurality of elements, not all elements illustrated within system 100 ofFIG. 1 may be utilized in each alternative implementation of the presentdisclosure. Additionally, one or more of the elements described hereinmay be located external to system 100, while in other instances, certainelements may be included within or as a portion of one or more of theother described elements, as well as other elements not described in theillustrated implementation. Further, certain elements illustrated inFIG. 1 may be combined with other components, as well as used foralternative or additional purposes in addition to those purposesdescribed herein.

Modern security administrators can employ a variety of tools andfunctionality in connection with managing and analyzing security statusof one or more computing systems. Security tools have been developedthat can provide focused and robust data and analysis describingconditions within a system, including the automated detection ofimportant security alerts, events, threats, vulnerabilities, and otherconditions. A variety of different and useful interfaces, views, datapresentations, representations, and infographics can be provided andgenerated in connection with a suite or other collection of securitytools used in a modern system security environment. However, given thewide variety and number of tools, functionality, views, and analysesgenerated and available to security administrators using a systemsecurity environment, administrators can quickly become overwhelmed withthe deluge of data available to them. Dashboards that attempt tosummarize such information to users can be similarly overwhelming, as itcan be very difficult to effectively present, in a single interface, allof the information and views pertaining to a system's security andsecurity tools to an administrator at a given time and in a manner thatallows the user to conveniently multitask and monitor several aspects ofa system's security. Consequently, previous systems tended to compromiseon the comprehensiveness of data presented to an administrator in anattempt to simplify presentations of security status data to theadministrator. Such techniques, however, can result in other importantsecurity status data not being presented to the user in sufficientdetail, or at all. On the other hand, more comprehensive securityinterfaces can cause important security events to get lost in a crowd ofinformation, or to be presented off-screen (e.g., forcing a user to haveto scroll down the interface window or toggle to different pages orinterfaces to view the information).

Computing system 100, in some implementations, can resolve many of theissues identified above pertaining to in adequate security statusinterfaces. For instance, improved system security dashboards can begenerated and provided with functionality giving administrator-usersmore control and presenting information in a more manageable andstreamlined fashion, among other features and advantages. As an example,in the schematic representation 200 of FIG. 2, a front end server 202 isshown for providing end-users (e.g., at devices 210, 215, 220)interfaces and access to security tools, such as tools served bysecurity servers 230, 235 monitoring one or more target computingsystems. Front end server 202 can include one or more processors 245 andmemory 250, as well as a dashboard engine 205 adapted to generate asecurity dashboard providing a plurality of security status views to anadministrator based on data, analysis, and results performed or providedby security servers 230, 235. Dashboard engine 205 can include a panemanager 255, infographic engine 260, device manager 265, authenticationengine 270, and task engine 275, among other modules, functionality, andcombinations of the foregoing.

Dashboard engine 205 can be adapted to develop interactive dashboardinterfaces capable of being rendered and presented on one or moredifferent endpoint devices, including different types of endpointdevices (e.g., 210, 215, 220). Interactive dashboards generated bydashboard engine can be dynamically customizable by user-administrators,allowing an administrator to have important security status summariespresented to the administrator, while concurrently allowing theadministrator the option to “drill-down” into the data and details ofparticular security status views, for instance, in an attempt todiagnose or remedy a particular security issue identified using thedashboard. Each of the plurality of computer security views can bepresented in one or more particular windows, or panes, presented withinthe dashboard user interface or window. For instance, FIGS. 3A-3Billustrate screenshots 300 a-b of an example security dashboard 305capable of being generated using dashboard engine 205.

As shown in FIG. 3A, a security dashboard can include a plurality ofinteractive panes 310, 315, 320, 325, 330, 335, 340, each presenting aview of security status information corresponding to a particularsystem. Views presented in the dashboard panes can relate to certainsecurity considerations, threats, vulnerabilities, etc. of one or moredifferent system components or subsystems. As an example, pane 310 caninclude views of incoming email traffic within a system, as well as thestatus thereof. Pane 310 is expanded, in each of the screenshots ofFIGS. 3A-3B, showing an infographic 345 illustrating the number ofquarantined, queued, bounced, blocked, and delivered emails receivedchronologically over a period of time (e.g., 1:00 AM to 3:00 AM). Panescan include multiple views, as in the example of pane 310 including agraph 346 showing overall incoming email traffic, and a sortable table348 showing details of individual emails corresponding to the emailtraffic modeled in the views of infographic 345.

As shown in example pane 310 of FIG. 3A, views (e.g., 345, 346, 348)organized and presented in a particular dashboard pane (e.g., a panerelating to a particular security status type, such as incoming email ofa system as in pane 310) can provide robust and varied informationincluding alternate presentations and visualizations of the informationto users managing security of a system. In some instances, however, thelevel of detail provided by a particular expanded pane can provide moreinformation, and information at a higher level of detail, than isimmediately desired by a particular user. Accordingly, in someimplementations, at least some panes in a security dashboard 305 can becollapsible, so as to be at least partially minimizing. For instance, inthe example of FIG. 3A, panes 320, 325, 335, 340 are shown in acollapsed state.

By allowing certain dashboard panes to be selectively and dynamicallycollapsed (and, alternatively, expanded) administrators can have bettercontrol over what information is presented to the user at a given time.For instance, having several robust views presented in multiple expandeddashboard panes can overwhelm the user with too many different views anddetails relating to potentially distinct and independent security statusissues. While robust security views can, in isolation, be particularuseful, too many can overwhelm or distract users, thereby reducing theoverall usefulness of the dashboard. This can be particular problematicwhen the complexity of a dashboard inhibits an administrator fromreacting swiftly to time-sensitive security issues and notificationspresented using the dashboard. Additionally, given the variety ofsecurity status information, tasks, issues, tools, and considerationsavailable to administrators using suites and combinations of modernsecurity tools, space within a security dashboard can be limited and maynot allow all of the relevant security views to be concurrentlypresented or available to an administrator, again threatening theadministrator's potential effectiveness recognizing, diagnosing, andremedying security issues as they develop. Accordingly, by providingcollapsible panes and security views, more panes can be included withina single dashboard user interface, potentially negating users having toscroll around or page through views of a dashboard in order to see theentirety of the dashboard and views and panes of interest to theadministrator.

As shown in FIG. 3B, as users determine that they desire to view more ofthe content and views of a particular pane, users can interact with thedashboard and elect to expand or maximize or otherwise expand collapsedpanes. For instance, each of panes 320, 325, 335, 340, collapsed in FIG.3A, are shown in their expanded form in FIG. 3B. In someimplementations, users can control whether a pane is expanded orcollapsed using a control, such as control 350. Additionally, not onlycan collapsed panes be expanded, expanded panes can be selectivelycollapsed, effectively minimizing the pane. As illustrated in theschematic representations 400 a-d of FIGS. 4A-4D, dashboard panes can becollapsed and expanded in a variety of combinations according to theselections of the user. Indeed, all dashboard panes can be concurrentlycollapsed (as in FIG. 4C) or expanded (such as in FIG. 3B).

Simply minimizing a security pane or view, however, can be potentiallyhazardous, as it can result in important security issues and trendsbeing missed. Further, it can be difficult, if not impossible, in someinstances, for a given user to accurately anticipate or predict when aparticular security view should be observed. Accordingly, it can beideal to concurrently present at least partial views of each securitypane within a security dashboard 305. Given that screen space can bescarce within the dashboard, rather than opening or maximizing each panein a dashboard, in some implementations, security summary information,infographics, or other security status indicators can be provided andpresented within a pane in its collapsed form. While such collapsedindicators may not provide the level of detail available within theexpanded pane, such collapsed indicators can nonetheless provide anabbreviated overview of particular security status information includedin expanded views of the pane that can be used to alert administratorsabnormalities or issues pertaining to aspects of system securityaddressed in the pane.

To illustrate, in FIG. 3A, collapsed panes 320, 335, 340 can includeoverview indicators 355, 360, 365 that provide general visual summariesof important events and trends described within the body of the panewhen expanded. For instance, collapsed pane 320 includes a miniaturizedtrendline indicator 355 corresponding to aggregate outgoing traffictrendline view 370 included within the body of expanded pane 320 b shownin FIG. 3B. While an administrator may not have immediate access to allof the details and views of expanded pane 320 b, an administrator cannonetheless observe general conditions and status described in thecollapsed body of the pane 320 a by virtue of overview indicator 355.Indeed, observing overview indicators can prompt a user to expand thepane to investigate conditions and additional details illustrated in thepane's expanded views (such as shown in pane 320 b in FIG. 3B).Likewise, collapsed panes 335 a, 340 a can also include overviewindicators that can allow a user to “peek” into the security statusconditions illustrated in the hidden views of the collapsed pane (e.g.,335 a, 340 a) while preserving dashboard space for users to viewexpanded panes (e.g., 310, 315, 330) that may currently be of higherpriority to the user.

FIGS. 5A-5B are schematic illustrations 500 a-b of yet two additionalexample collapsible security dashboard windows. For instance, in FIG.5A, a dashboard window 502 a including a set of panes 505, 510, 515 isshown, first with the panes in collapsed state (505 a, 510 a, 515 a) andthen in expanded state (505 b, 510 b, 515 b). In each of panes 505 and510, an overview indicator 520, 525 is shown in a first color denotingan error, threat, vulnerability, or other event that is likely ofinterest to a security administrator. In pane 515, however, overviewindicator 530 (of a type similar to overview indicators 520, 525) isshown with a color different than the color of overview indicators 520,525, the color of overview indicator 530 indicating that no currentcritical events have been detected (e.g., be security tools running onthe target system). As shown in pane 510, describing security status ofsystem hardware, at least one event has been detected (e.g., a problemwith disks within the system) indicated by a particular alert indicator535. This single instance (e.g., at 535) of a negative or critical event(e.g., relating to system disks) within the greater set of hardwaresecurity status summaries (e.g., also including security statussummaries and trend lines for system CPUs, network status, RAID status,etc.), can trigger an alert overview indicator (e.g., 520, 525) to bepresented in the pane in at least its collapsed state (e.g., 505 a, 510a) indicating to a user that it may be desirable to expand the panes tofurther evaluate the detected issues.

FIG. 5B, similar to FIG. 5A, shows a pane 560 alternately in a collapsedstate (560 a) and expanded state (560 b). In the example of pane 560, atrendline infographic is again shown, however, rather than a color-basedoverview indicator, a miniaturized trendline overview indicator 565 isincluded in collapsed pane 560 a that mimics a full-size trendline-typeinfographic 570 presented in the pane 560 b in its expanded state. As avariety of different pane layouts, infographics, and content can beincluded within panes used and included within a security dashboard,together with panes addressing and representing a wide variety ofsecurity status, a variety of different types and forms of overviewindicators can be provided in collapsed panes to assist users inobtaining generalized summaries of security status informationrepresented and presented within panes of a security dashboard.

Returning to FIG. 2, an infographic engine 260 can provide functionalityfor generating views and infographic content included within the panes,as well as converting security data (e.g., from security servers 230,235) into infographic representations. Indeed, infographic engine 260can also be used to provide logic for generating and presenting overviewindicators (e.g., 355, 360, 365) in collapsed dashboard panes. Further,a pane manager 255 of dashboard engine 205 can provide logic andfunctionality for dynamically collapsible dashboard panes, such as shownin FIGS. 3A-4D, as well as other functionality. For instance, in someimplementations, users can drag and rearrange dashboard panes within thedashboard window while the dashboard panes present and update securitystatus data and graphics to a user. In addition to permitting users tointeract with the dashboard user interface to collapse panes ofimmediate secondary interest and expand higher priority panes, panemanager 255 can provide UI logic allowing users to reorder, stack, orrearrange panes as they desire so as to optimize viewing of particularpanes. Additionally, in some implementations, users can not onlyrearrange and vertically expand dashboard panes, but also promote panesto a “full screen” pane, resulting in the pane being expandedhorizontally across a dashboard window. In other words, dashboard panescan be added, removes, resized, and rearranged during live operation ofthe security dashboard.

FIGS. 6A-6F are block representations 600 a-f of user interactions withexample security dashboard windows provided, for instance, usingdashboard engine 205 and pane manager 255. In FIG. 6A, an initialdashboard window configuration 600 a is shown with six securitydashboard panes A-F, each providing corresponding views of securitystatus information for a computing system. In some instances, thenumber, type, and location of the dashboard panes can be selected by auser. Further, while using the security dashboard to monitor thesecurity status and events of a system, the user can manipulatedashboard panes. Not only can the user collapse and expand panes, theuse can, in some implementations, also dynamically rearrange, resize,add, and remove panes from the dashboard window. Additionally, in someimplementations, a “full size” viewing option can be provided forhorizontally expanding dashboard panes, activated, for instance, byselecting a full-size option or by dragging a pane into a designatedarea (e.g., 605) of the dashboard window 600. For instance, in FIG. 6B,a user can drag pane B into the primary viewing area 605, resulting inpane B being positioned above the remaining panes in the window 600 band expanding horizontally. In this example case, pane B expands acrossthe width of the dashboard window 600 b in response to being dragged anddropped into the primary viewing area 605. Additionally, moving pane Bfrom its original position (in FIG. 6A) to its new position (in FIG. 6B)can result in other panes being automatically relocated to accommodatepane B's change of position. For instance, in the example of FIG. 6B,panes A, D, E, and F are pushed downward by the repositioning of pane Bwithin the primary viewing area 605. Moreover, in some implementations,if no pane is positioned within a defined primary viewing area 605within a dashboard interface, the primary viewing area 605 can becollapsed or hidden (such as in FIG. 6A), until a pane is placed near,at, or within the primary viewing area.

In some implementations, more than one dashboard pane can be positionedwithin the primary viewing area 605 at a given time. For example, inFIG. 6C, pane E is also moved into primary viewing area 605 with pane B.This may be desirable, for instance, when the content of more than onepane is the focus of a user, such as when the security informationpresented and synthesized within panes B and E bear an importantrelation to each other, for instance, in connection with a particularsecurity event being monitored by the user. Accordingly, the user maydesire to expand panes B and E and, at least temporarily, make thesepanes the focal point of the dashboard window 600 c. In some instances,rather than having multiple panes occupy the primary view area 605, auser can replace pane B with pane E, and cause pane B to revert back toits default horizontal width, as shown in FIG. 6D. The removal of pane Bfrom primary viewing area 605 can be caused by the user dragging pane Bout of the primary viewing area 605 or by selecting a control or optionto return pane B to its original horizontal width and/or position.Moreover, in some implementations, primary viewing area 605 can limitthe number of different panes that can be included in the viewing areaat a given time. In such implementations, the positioning of a pane(e.g., pane E) might cause a pane (e.g., pane B), previously positionedwithin the viewing area 605, to be automatically removed from theprimary viewing area 605 to accommodate the newly-positioned pane.

Turning to FIG. 6E, panes can be added or removed from dashboard window600 in response to user commands and interactions and while the userviews and manages system security using the security dashboard. Forexample, as shown in FIG. 6E, a new pane G can be selected by a user tobe added, at least temporarily, to dashboard window 600 e. The user canadd or remove panes from the dashboard window in connection with themanagement of system security, allowing the user to observe and focus onparticular security settings and information provided using the variouspanes according to the activities and goals of the user at a given time.Such panes can be selected from a set of panes larger than would beavailable to be conveniently included within a dashboard interface at agiven time. The new pane G can also be positioned and re-positionedwithin dashboard window 600 e according to the preferences of the user.Accordingly, as in other examples, the addition of new panes (e.g., paneG) to the dashboard window 600, as well as the removal of pre-placedpanes (e.g., panes A-F) from the dashboard window 600, can result in therepositioning of the remaining panes, as is shown in FIG. 6E.

Turning now to FIG. 6F, panes can be expanded vertically, as well ashorizontally, including expanding the pane beyond the expansion thatoccurs when expanded a pane from a collapsed state to an expanded state.For instance, user interactions with views in an expanded pane canresult in new views populating or being added to the pane, such as newviews presenting security data at a more detailed level of abstractionor using alternative or supplemental infographics. Interactions withpane content can also cause additional views or interfaces to belaunched that can be used by the user to edit or modify particularsecurity settings or policies, or to initiate particular security scans,fixes, or other tasks. The pane can expand vertically to accommodate newviews and interfaces populating a given pane. For example, as shown inFIG. 6E, a user can cause pane E to be expanded vertically, forinstance, in response to the user interacting with views and/or contentwithin pane E, such as an infographic, status identifier, securitycategory, system component, taxonomy, or other selectable control orlink included in the pane. Panes not included in primary viewing area605 can also expand vertically in response to new views and/orinterfaces populating the pane in response to user interactions with thepane.

In addition to providing administrator users with the ability toselectively expand dashboard panes and drill-down into data andinfographics conveying security status information, in someimplementations, dashboard pane can provide users with an interface toaccess security tool functionality for remedying detected problems andenacting desired countermeasures and system adjustments. For instance,task engine 275 can be used to provide access to or interface withsecurity tools provided, for example, by security servers 230, 235,allowing a user to launch or otherwise perform security tasks related tosecurity status information represented in one or more securitydashboard panes. As an example, and returning for convenience to theexample of FIG. 5A, a user can attempt to address a detected problemrelating to storage access (indicated by user interface element 550 inpane 505 b). In some instances, a user can interact with pane 505 b andinterface element 550 and select the “Storage Access” element, forinstance, using a mouse or touchpad, to open additional interfaces foruse in changing system configurations, launching a securitycountermeasure or tool (including interfaces of security tools ofsecurity servers 230, 235), editing policy rules, adjusting systemsettings, and other tasks related to managing storage access in thesystem. Indeed, such interfaces can be launched within the body of thecorresponding pane (e.g., pane 505), for instance, causing the pane toexpand to accommodate the security task interface while concurrentlyshowing the security status information giving rise to the user'sattempts to remedy the problem (e.g., as shown in FIG. 6F).

Returning to FIG. 2, security dashboard functionality provided inconnection with managing the positioning and size of user-selectablesecurity dashboard panes can be managed and provided using pane manager255. Other modules can be provided for use in connection with additionalfunctionality of a security dashboard. For instance, device manager 265can be used to automatically detect and adapt presentation of aparticular security dashboard to a particular endpoint device. Forinstance, how panes are initially arranged on a security dashboard canbe affected by the dimensions and resolution of a display device used bythe particular endpoint device. For example, in a display device withwider dimensions, more columns of panes may be presented in thedashboard than in a display device with narrower dimensions, therebyoptimizing the layout of panes within the dashboard. Further, somedisplay devices can dynamically change orientations, such as with moderntouch-screen based smartphones and tablet computers with accelerometersor other sensors for identifying display orientation. Accordingly, forsuch devices, a change in display orientation can cause the orientationand positioning of dashboard panes to be adjusted or changed to optimizethe changed orientation, among other examples.

Further, dashboard engine 205, in some implementations, can be areusable tool or service and can provide or serve security dashboards inconnection with security of a plurality of different target systems, aswell as a plurality of different security tools and security servers. Asdashboard engine 205 can provide multiple security dashboards tomultiple different customers, and given the particular sensitivity ofindividual systems' security, an authentication engine 270 can beprovided to authenticate authorized users, organizations, devices, andsystems prior to granting access to a particular system's securitydashboard. Further, some administrators may only be granted limitedaccess to particular system security information or tools. Accordingly,different permission levels can be provided for different users of aparticular system's security dashboard. Authentication engine 270 can bethus adapted to manage authentication of various users as well as thepermission levels of the users. For instance, some security panesavailable to some users (e.g., with higher permission levels) may not beavailable to other users (i.e., with lower permission levels).Accordingly, certain security panes may not be included in or beavailable to be added to security dashboards presented to particularusers based, for instance, on users' permission levels. This and otherfunctionality relating to authentication and access control of securitydashboards, security tools, and particular security dashboard panes canbe managed and controlled using an authentication engine (e.g., 270).

FIG. 7 is a simplified flowchart 700 illustrating example techniques forproviding an improved security dashboard. For instance, a securitydashboard can be provided 705 for presentation to a user on a computerdisplay device. The security dashboard can include a plurality of panesrepresenting computer security status information to the user. The usercan interact 710 with one or more panes in the presented securitydashboard, including content representing computer security statusinformation. Depending on the type and form of interaction with thesecurity dashboard, and the design (e.g., dimensions, content views,etc.) and functionality of the dashboard pane, the dashboard and/or panecan be altered to accommodate particular security tasks orresponsibilities of the user. For instance, the dashboard pane can becollapsed (if already expanded) or expanded (if already collapsed) (at715) to assist the user in managing the viewing area of the dashboardpresented on a display device. In cases where the dashboard pane iscollapsed, a collapsed view of the pane can include visual indicatorsproviding a summary view of the pane's content (and related securitystatus information) hidden by the collapsing of the pane. Indeed, theexpanding of a collapsed pane can be the result of an overview indicatorpresented on the collapsed pane alerting the user of a potential alertor other item of interest described in more detail within hidden viewsof the collapsed pane. Collapsing or expanding (715) the pane can, insome instances, result in the automatic repositioning 720 of other panesin the dashboard (such as shown and described in the examples of FIGS.3A-4D).

In some instances, such as in connection with, or following, theexpanding of a particular pane, a user can interact 710 withrepresentations of system security state presented in views included inthe expanded pane, to cause additional views, representations, and/orinterfaces to be presented and populated 725 within the pane, such asadditional views and interfaces related to the general security categoryor purpose of the pane. In some instances, populating 725 the pane withadditional views or interfaces can cause the dimensions of the pane toexpand automatically, in some cases, affecting and automaticallyrepositioning 730 other panes included in the dashboard presentation. Insome implementations, interaction with dashboard panes can include thecollection of user inputs for use in connection with the performance ofone or more security tasks in connection with security conditionsrepresented in the dashboard pane.

Collapsed or expanded dashboard panes can be repositioned and rearranged(735) within a dashboard presentations in response to user interactionswith the dashboard and/or affected panes. For instance, a user caninteract 710 with a particular dashboard pane by selecting the pane anddragging and dropping the particular pane to a different location withinthe dashboard (e.g., using a mouse or touchpad display, etc.) toreposition 735 the particular pane within the plurality of panespresented in the dashboard. Further, repositioning one dashboard panecan cause other dashboard panes in the plurality of dashboard panes tobe repositioned 740 to accommodate the moving (or, in some cases,addition or removal) of a particular dashboard pane in response to auser interaction 710.

Although this disclosure has been described in terms of certainimplementations and generally associated methods, alterations andpermutations of these implementations and methods will be apparent tothose skilled in the art. For example, the actions described herein canbe performed in a different order than as described and still achievethe desirable results. As one example, the processes depicted in theaccompanying figures do not necessarily require the particular ordershown, or sequential order, to achieve the desired results. In certainimplementations, multitasking and parallel processing may beadvantageous. Additionally, other user interface layouts andfunctionality can be supported. Other variations are within the scope ofthe following claims.

Embodiments of the subject matter and the operations described in thisspecification can be implemented in digital electronic circuitry, or incomputer software, firmware, or hardware, including the structuresdisclosed in this specification and their structural equivalents, or incombinations of one or more of them. Embodiments of the subject matterdescribed in this specification can be implemented as one or morecomputer programs, i.e., one or more modules of computer programinstructions, encoded on computer storage medium for execution by, or tocontrol the operation of, data processing apparatus. Alternatively or inaddition, the program instructions can be encoded on an artificiallygenerated propagated signal, e.g., a machine-generated electrical,optical, or electromagnetic signal that is generated to encodeinformation for transmission to suitable receiver apparatus forexecution by a data processing apparatus. A computer storage medium canbe, or be included in, a computer-readable storage device, acomputer-readable storage substrate, a random or serial access memoryarray or device, or a combination of one or more of them. Moreover,while a computer storage medium is not a propagated signal per se, acomputer storage medium can be a source or destination of computerprogram instructions encoded in an artificially generated propagatedsignal. The computer storage medium can also be, or be included in, oneor more separate physical components or media (e.g., multiple CDs,disks, or other storage devices), including a distributed softwareenvironment or cloud computing environment.

The operations described in this specification can be implemented asoperations performed by a data processing apparatus on data stored onone or more computer-readable storage devices or received from othersources. The terms “data processing apparatus,” “processor,” “processingdevice,” and “computing device” can encompass all kinds of apparatus,devices, and machines for processing data, including by way of example aprogrammable processor, a computer, a system on a chip, or multipleones, or combinations, of the foregoing. The apparatus can includegeneral or special purpose logic circuitry, e.g., a central processingunit (CPU), a blade, an application specific integrated circuit (ASIC),or a field-programmable gate array (FPGA), among other suitable options.While some processors and computing devices have been described and/orillustrated as a single processor, multiple processors may be usedaccording to the particular needs of the associated server. Referencesto a single processor are meant to include multiple processors whereapplicable. Generally, the processor executes instructions andmanipulates data to perform certain operations. An apparatus can alsoinclude, in addition to hardware, code that creates an executionenvironment for the computer program in question, e.g., code thatconstitutes processor firmware, a protocol stack, a database managementsystem, an operating system, a cross-platform runtime environment, avirtual machine, or a combination of one or more of them. The apparatusand execution environment can realize various different computing modelinfrastructures, such as web services, distributed computing and gridcomputing infrastructures.

A computer program (also known as a program, software, softwareapplication, script, module, (software) tools, (software) engines, orcode) can be written in any form of programming language, includingcompiled or interpreted languages, declarative or procedural languages,and it can be deployed in any form, including as a standalone program oras a module, component, subroutine, object, or other unit suitable foruse in a computing environment. For instance, a computer program mayinclude computer-readable instructions, firmware, wired or programmedhardware, or any combination thereof on a tangible medium operable whenexecuted to perform at least the processes and operations describedherein. A computer program may, but need not, correspond to a file in afile system. A program can be stored in a portion of a file that holdsother programs or data (e.g., one or more scripts stored in a markuplanguage document), in a single file dedicated to the program inquestion, or in multiple coordinated files (e.g., files that store oneor more modules, sub programs, or portions of code). A computer programcan be deployed to be executed on one computer or on multiple computersthat are located at one site or distributed across multiple sites andinterconnected by a communication network.

Programs can be implemented as individual modules that implement thevarious features and functionality through various objects, methods, orother processes, or may instead include a number of sub-modules, thirdparty services, components, libraries, and such, as appropriate.Conversely, the features and functionality of various components can becombined into single components as appropriate. In certain cases,programs and software systems may be implemented as a composite hostedapplication. For example, portions of the composite application may beimplemented as Enterprise Java Beans (EJBs) or design-time componentsmay have the ability to generate run-time implementations into differentplatforms, such as J2EE (Java 2 Platform, Enterprise Edition), ABAP(Advanced Business Application Programming) objects, or Microsoft's.NET, among others. Additionally, applications may represent web-basedapplications accessed and executed via a network (e.g., through theInternet). Further, one or more processes associated with a particularhosted application or service may be stored, referenced, or executedremotely. For example, a portion of a particular hosted application orservice may be a web service associated with the application that isremotely called, while another portion of the hosted application may bean interface object or agent bundled for processing at a remote client.Moreover, any or all of the hosted applications and software service maybe a child or sub-module of another software module or enterpriseapplication (not illustrated) without departing from the scope of thisdisclosure. Still further, portions of a hosted application can beexecuted by a user working directly at a server hosting the application,as well as remotely at a client.

The processes and logic flows described in this specification can beperformed by one or more programmable processors executing one or morecomputer programs to perform actions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read only memory ora random access memory or both. The essential elements of a computer area processor for performing actions in accordance with instructions andone or more memory devices for storing instructions and data. Generally,a computer will also include, or be operatively coupled to receive datafrom or transfer data to, or both, one or more mass storage devices forstoring data, e.g., magnetic, magneto optical disks, or optical disks.However, a computer need not have such devices. Moreover, a computer canbe embedded in another device, e.g., a mobile telephone, a personaldigital assistant (PDA), tablet computer, a mobile audio or videoplayer, a game console, a Global Positioning System (GPS) receiver, or aportable storage device (e.g., a universal serial bus (USB) flashdrive), to name just a few. Devices suitable for storing computerprogram instructions and data include all forms of non-volatile memory,media and memory devices, including by way of example semiconductormemory devices, e.g., EPROM, EEPROM, and flash memory devices; magneticdisks, e.g., internal hard disks or removable disks; magneto opticaldisks; and CD ROM and DVD-ROM disks. The processor and the memory can besupplemented by, or incorporated in, special purpose logic circuitry.

To provide for interaction with a user, embodiments of the subjectmatter described in this specification can be implemented on a computerhaving a display device, e.g., a CRT (cathode ray tube) or LCD (liquidcrystal display) monitor, for displaying information to the user and akeyboard and a pointing device, e.g., a mouse or a trackball, by whichthe user can provide input to the computer. Other kinds of devices canbe used to provide for interaction with a user as well; for example,feedback provided to the user can be any form of sensory feedback, e.g.,visual feedback, auditory feedback, or tactile feedback; and input fromthe user can be received in any form, including acoustic, speech, ortactile input. In addition, a computer can interact with a user bysending documents to and receiving documents from a device, includingremote devices, that are used by the user.

Embodiments of the subject matter described in this specification can beimplemented in a computing system that includes a back end component,e.g., as a data server, or that includes a middleware component, e.g.,an application server, or that includes a front end component, e.g., aclient computer having a graphical user interface or a Web browserthrough which a user can interact with an implementation of the subjectmatter described in this specification, or any combination of one ormore such back end, middleware, or front end components. The componentsof the system can be interconnected by any form or medium of digitaldata communication, e.g., a communication network. Examples ofcommunication networks include any internal or external network,networks, sub-network, or combination thereof operable to facilitatecommunications between various computing components in a system. Anetwork may communicate, for example, Internet Protocol (IP) packets,Frame Relay frames, Asynchronous Transfer Mode (ATM) cells, voice,video, data, and other suitable information between network addresses.The network may also include one or more local area networks (LANs),radio access networks (RANs), metropolitan area networks (MANs), widearea networks (WANs), all or a portion of the Internet, peer-to-peernetworks (e.g., ad hoc peer-to-peer networks), and/or any othercommunication system or systems at one or more locations.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other. In someembodiments, a server transmits data (e.g., an HTML page) to a clientdevice (e.g., for purposes of displaying data to and receiving userinput from a user interacting with the client device). Data generated atthe client device (e.g., a result of the user interaction) can bereceived from the client device at the server.

While this specification contains many specific implementation details,these should not be construed as limitations on the scope of anyinventions or of what may be claimed, but rather as descriptions offeatures specific to particular embodiments of particular inventions.Certain features that are described in this specification in the contextof separate embodiments can also be implemented in combination in asingle embodiment. Conversely, various features that are described inthe context of a single embodiment can also be implemented in multipleembodiments separately or in any suitable subcombination. Moreover,although features may be described above as acting in certaincombinations and even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asubcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the embodiments described above should not be understoodas requiring such separation in all embodiments, and it should beunderstood that the described program components and systems cangenerally be integrated together in a single software product orpackaged into multiple software products.

Thus, particular embodiments of the subject matter have been described.Other embodiments are within the scope of the following claims. In somecases, the actions recited in the claims can be performed in a differentorder and still achieve desirable results. In addition, the processesdepicted in the accompanying figures do not necessarily require theparticular order shown, or sequential order, to achieve desirableresults.

What is claimed is:
 1. At least one non-transitory machine accessiblestorage medium having instructions stored thereon, wherein theinstructions, when executed on a machine, cause the machine to: receivedata describing security conditions detected in a particular computingsystem by one or more security sensors; provide a computing systemsecurity dashboard for presentation on a computer display device, thedashboard including a plurality of security view panes, each securityview pane, when expanded, presenting a respective visualization of acorresponding category of security conditions of the particularcomputing system, wherein at least one particular security view pane iscollapsed so as to hide at least a portion of a particular visualizationof particular security conditions related to a particular category, theparticular security view pane is to occupy a smaller area of thedashboard when collapsed than when expanded and is to present aparticular visual indicator, at least when collapsed, summarizing atleast a portion of the particular security conditions represented in thehidden particular visualization, the particular visualization is tographically represent chronological progress of the particular securityconditions over a period of time and at least one indication of whethera critical event has been detected with respect to the chronologicalprogress of the particular security conditions during at least oneportion of the period of time, and the particular security conditionsare for each element of the group consisting of processors, memory,storage, storage access, software update, and network traffic; andidentify a user interaction with the particular collapsed security viewpane prompting the particular security view pane to be expanded in areaand to present the particular visualization.
 2. The storage medium ofclaim 1, wherein the particular visual indicator identifiesrepresentation of a particular security condition in the particularvisualization.
 3. The storage medium of claim 2, wherein the particularsecurity condition is at least one of a critical security event,abnormality, vulnerability, or threat detected by at least one securitytool.
 4. The storage medium of claim 2, wherein the particular visualindicator is a stoplight indicator presented in red for detection of atleast one negative security condition and presented in green in theabsence of at least one detected negative security condition.
 5. Thestorage medium of claim 1, wherein the particular visual indicatoridentifies absence of at least one negative security condition withinthe particular computing system.
 6. The storage medium of claim 1,wherein the particular visualization of the particular security viewpane includes an interactive visualization of particular securityconditions.
 7. The storage medium of claim 6, wherein an interactionwith the particular visualization causes another visualization of theparticular security conditions to be presented within the particularsecurity view pane.
 8. The storage medium of claim 7, wherein theparticular visualization represents the particular security conditionsat a first level of abstraction and the other visualization representsthe particular conditions at a second level of abstraction.
 9. Thestorage medium of claim 6, wherein interaction with the particularvisualization includes inputs in connection with the performance of aparticular security task.
 10. The storage medium of claim 9, wherein theinteraction with the particular visualization causes at least oneinterface to populate the particular security view pane, the interfaceadapted to receive the inputs.
 11. The storage medium of claim 1,wherein a plurality of the security view panes included in the dashboardare in an expanded state.
 12. The storage medium of claim 1, wherein aplurality of the security view panes included in the dashboard are in acollapsed state.
 13. The storage medium of claim 12, wherein eachsecurity view pane in the plurality of collapsed security view panesincludes a respective visual indicator summarizing at least a portion ofthe particular security conditions identified in visualizations of thecorresponding security view pane.
 14. The storage medium of claim 13,wherein each visual indicator mimics a visualization technique used invisualizations of the corresponding security view pane.
 15. The storagemedium of claim 14, wherein at least one visual indicator of theplurality of collapsed security view panes is different from theparticular visual indicator.
 16. The storage medium of claim 1, whereinthe plurality of security view panes comprises a subset of security viewpanes from a set of available security view panes.
 17. The storagemedium of claim 1, the instructions when executed on a machine tofurther cause the machine to: identify an interaction with theparticular security view pane; and change the positioning of theparticular security view pane relative to at least one other securityview pane in the plurality of security view panes based on theinteraction.
 18. The storage medium of claim 17, wherein the changingthe positioning of the particular security view pane causes at least oneother security view pane in the plurality of security view panes to berepositioned to accommodate the changing of the positioning of theparticular security view pane.
 19. The storage medium of claim 17,wherein the interaction moves the particular security view pane to aprimary viewing area included in the dashboard, and positioning asecurity view pane within the primary viewing area causes the securityview pane to be expanded horizontally.
 20. The storage medium of claim19, wherein the primary viewing area occupies a position substantiallynear the top of the dashboard.
 21. The storage medium of claim 19,wherein the primary viewing area is adapted to collapse when notoccupied by at least one security view pane.
 22. The storage medium ofclaim 1, wherein the particular visualization is a trendline.
 23. Amethod comprising: receiving data describing security conditionsdetected in a particular computing system by one or more securitysensors; providing a computing system security dashboard forpresentation on a computer display device, the dashboard to include aplurality of collapsible security view panes, each security view pane,when expanded, to present a respective visualization of a correspondingcategory of security conditions of the particular computing system and,when collapsed, to hide at least a portion of the visualizationpresented when the corresponding security view pane is expanded, eachsecurity view pane to occupy a smaller area of the dashboard whencollapsed than when expanded, at least a particular one of the pluralityof security view panes is to present a particular visualizationrepresenting particular security conditions related to a particularcategory and further present a particular visual indicator, at leastwhen collapsed, summarizing at least a portion of the particularsecurity conditions represented in the hidden particular visualization,the particular visualization graphically represents chronologicalprogress of the particular security conditions over a period of time andat least one indication of whether a critical event has been detectedwith respect to the chronological progress of the particular securityconditions during at least one portion of the period of time, and theparticular security conditions are for each element of the groupconsisting of processors, memory, storage, storage access, softwareupdate, and network traffic; and identifying an interaction with theparticular collapsed security view pane prompting the particularsecurity view pane to be expanded in area and present the particularvisualization.
 24. The method of claim 23, wherein the particularvisualization is a trendline.
 25. A system comprising: at least oneprocessor device; at least one memory element; and a dashboard engineadapted, when executed by the at least one processor device, to receivedata describing security events determined from security conditionsdetected in a particular computing system by one or more securitysensors; provide a computing system security dashboard for presentationon a computer display device, the dashboard to include a plurality ofcollapsible security view panes, each security view pane, when expanded,to present a respective visualization of a corresponding category ofsecurity conditions of the particular computing system and, whencollapsed, to hide at least a portion of the visualization presentedwhen the corresponding security view pane is expanded, each securityview pane is to occupy a smaller area of the dashboard when collapsedthan when expanded, at least a particular one of the plurality ofsecurity view panes is to present a particular visualizationrepresenting particular security conditions related to a particularcategory and further present a particular visual indicator, at leastwhen collapsed, summarizing at least a portion of the particularsecurity conditions represented in the hidden particular visualization,the particular visualization is to graphically represent chronologicalprogress of the particular security conditions over a period of time andat least one indication of whether a critical event has been detectedwith respect to the chronological progress of the particular securityconditions during at least one portion of the period of time, and theparticular security conditions are for each element of the groupconsisting of processors, memory, storage, storage access, softwareupdate, and network traffic; and identify an interaction with theparticular collapsed security view pane prompting the particularsecurity view pane to be expanded in area and present the particularvisualization.
 26. The system of claim 25, wherein the dashboard engineis further adapted to provide a primary viewing area in the dashboard,and positioning of one or more security view panes within the primaryviewing area causes the one or more security view panes positionedwithin the primary viewing area to be horizontally expanded.
 27. Thesystem of claim 25, wherein the dashboard engine interfaces with one ormore security tools adapted to perform one or more security tasks, andthe dashboard engine is further adapted to allow initiation of the oneor more security tasks via the particular security view pane.
 28. Thesystem of claim 25, wherein the particular visualization is a trendline.